Re: FreeBSD 13 + CertBot + OpenSSL 3 - status?

Reply: DutchDaemon - FreeBSD Forums Administrator : "Re: FreeBSD 13 + CertBot + OpenSSL 3 - status?"
Reply: DutchDaemon - FreeBSD Forums Administrator : "Re: FreeBSD 13 + CertBot + OpenSSL 3 - status?"
In reply to: Dutch Daemon - FreeBSD Forums Administrator: "Re: FreeBSD 13 + CertBot + OpenSSL 3 - status?"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Vidar Karlsen <vidar_at_karlsen.tech>
Date: Wed, 25 Oct 2023 09:12:18 UTC

On Wed, Oct 25, 2023 at 09:22:11AM +0200, Dutch Daemon - FreeBSD Forums Administrator wrote:
> On October 24, 2023 14:54:40 DutchDaemon - FreeBSD Forums Administrator
> <DutchDaemon@FreeBSD.org> wrote:
> > Does anyone in 'port land' know what the current developments are wrt
> > CertBot (or py-crypto under its hood)?
> > CertBot is happily compiling against OpenSSL 3 from ports, but when
> > running 'certbot', the crypto side of it talks to the base system
> > OpenSSL 1.1.1, hence failing because the OpenSSL 1.1.1 library does not
> > understand the OpenSSL 3 calls made to it.
> > From what I understood, this was due to an error/regression in
> > pkgconf(?) which causes some type of 'path reversal' that causes
> > py-crypto to ignore the OpenSSL it was compiled against, favoring the
> > base system library.
> > I either have to revert a whole lot of servers back to OpenSSL 1.1.1w
> > from ports in order to renew certificates, or wait for "any movement" in
> > getting the path reversal addressed/fixed.
> > So: does anyone know where we're at with this?
> 
> 
> Memory jog:
> 
> 
> Traceback (most recent call last):
> File "/usr/local/bin/certbot", line 33, in <module>
>   sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts', 'certbot')())
> File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
>   return next(matches).load()
[...]
> File "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py",
> line 9, in <module>
>   from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
> ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so:
> Undefined symbol "EVP_default_properties_is_fips_enabled"

What solved this problem for me was to apply the v2 patch from the
pkgconf PR 273961 [1].

The next hurdly you'll probably run into [2] can be solved by running
certbot with the following env variable:
CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1

[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273961
[2] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273656

Hope this helps!

-- 
Vidar